🐸 Versioned release#855
Merged
Merged
Conversation
ae88950 to
3c7a37c
Compare
5bab5ca to
b15967d
Compare
8b1f510 to
0759f4b
Compare
0759f4b to
3bfa214
Compare
@varlock/astro-integration@1.1.1 @varlock/cloudflare-integration@1.2.1 @varlock/nextjs-integration@1.1.4 @varlock/vite-integration@1.2.1 env-spec-language@0.2.5 varlock@1.10.0
3bfa214 to
5db438d
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR was created and will be kept in sync by bumpy based on your bump files (in
.bumpy/). Merge it when you are ready to release the packages listed below:varlock1.9.0 → 1.10.0 CHANGELOG.mdAccept-Encoding: gzip— could receive leaked sensitive values the scanner should have blocked. Brotli and zstd responses are now scanned too, and compressed chunks containing a leak fail closed (the response is killed) instead of passing through. (bump file)Note: since most browser traffic previously bypassed the scanner, an app with an existing undetected leak will start seeing those responses blocked after upgrading — look for
DETECTED LEAKED SENSITIVE CONFIGin server logs, which names the offending config key.varlock/env(fixes stale values after env reloads when a bundler duplicates the module, including cleanup ofprocess.envkeys removed between reloads), andnode:cryptois loaded lazily — with encrypted env blobs decrypting via WebCrypto on edge runtimes that lack it entirely (e.g. Vercel Edge). Minimum supported Node version is now 22.3. (bump file)@generatePythonEnv,@generateRustEnv,@generateGoEnv,@generatePhpEnv). Each emits a self-contained, idiomatic module — typed coerced values, a loader that parses the injected env, and aSENSITIVE_KEYSconstant — so it's usable out of the box. The TypeScript generator moves to@generateTsTypesand gains options to controlprocess.env/import.meta.envaugmentation and a monorepo-friendlyexposeEnv=localmode.@generateTypes(lang=ts)still works as a deprecated alias. Thevarlock typegencommand is renamed tovarlock codegen(withtypegenkept as a deprecated alias). Note:@disableProcessEnvInjectionnow requires a statictrue/falsevalue — env-dependent values likeforEnv(prod)are a schema error, since generated code must not differ per environment. (bump file)coercedTypeso generated env modules type their fields correctly (previously they always emitted as strings) (bump file)@varlock/astro-integration1.1.0 → 1.1.1 (cascade) CHANGELOG.md@varlock/cloudflare-integration1.2.0 → 1.2.1 (cascade) CHANGELOG.md@varlock/nextjs-integration1.1.3 → 1.1.4 CHANGELOG.mdloadEnvConfig, so the extra env-file watchers were never installed — watcher ownership is now claimed by whichever process loads env first; (2) on turbopack, non-sensitiveENV.xvalues were statically inlined into server files at compile time, so reloaded values were never served — in dev, server-side (node runtime) files now read env through the runtime proxy, which stays fresh across reloads. Client components and edge files still inline values (required), so those keep needing a page refresh after a full recompile. (bump file)@varlock/vite-integration1.2.0 → 1.2.1 CHANGELOG.mdenv-spec-language0.2.4 → 0.2.5 CHANGELOG.md@generatePythonEnv,@generateRustEnv,@generateGoEnv,@generatePhpEnv). Each emits a self-contained, idiomatic module — typed coerced values, a loader that parses the injected env, and aSENSITIVE_KEYSconstant — so it's usable out of the box. The TypeScript generator moves to@generateTsTypesand gains options to controlprocess.env/import.meta.envaugmentation and a monorepo-friendlyexposeEnv=localmode.@generateTypes(lang=ts)still works as a deprecated alias. Thevarlock typegencommand is renamed tovarlock codegen(withtypegenkept as a deprecated alias). Note:@disableProcessEnvInjectionnow requires a statictrue/falsevalue — env-dependent values likeforEnv(prod)are a schema error, since generated code must not differ per environment. (bump file)